
How to combine duplicate fields in the same event into one field?

weznagwama
New Member

Hey Guys,

I have events that contain the same field, like so:

12/08/2015 1:03:03 PM Server="exchange" User="admin@domain.com" Identity="bigstring=" Cmdlet="Set-DistributionGroup" Param="-IgnoreNamingPolicy 'True'" Param="-Identity 'Distro Group'" Success="True" Error=""

So as you can see, my event has 2 Param fields for the "Set-DistributionGroup" cmdlet.

I am wondering how to combine this field into one. Thanks!


somesoni2
Revered Legend

If your logs have the format mentioned above (key-value pairs), Splunk should've extracted a multivalued field Param already, which will contain both the Param values. Try running this and see if you can see both values under the same field name.

your base search | table Param

krishnarajapant
Path Finder

Hi weznagwama,

I think you can use the "makemv" command with "delim" by mentioning the separator.

| makemv delim="-" Cmdlet | top Cmdlet

-Krishna Rajapantula


weznagwama
New Member

Hey mate, thanks for the reply. I've unfortunately got stuck on something else relating to PowerShell scripts running, so I can't test this yet, until I get the PowerShell script working. Will post back once I do.


sduff_splunk
Splunk Employee

If you are not getting two Params being field-extracted, you could use a rex and an eval.

| rex field=_raw "Param=\"(?<p1>[^\"]*)\" Param=\"(?<p2>[^\"]*)\"" | eval param=p1.p2

weznagwama
New Member

Hey mate,

Thanks for the reply.

Let's assume an event has '4' separate Params.

Is there a way to field extract to match all? Or would I just have to say regex 10 params, eval p1...p10, to catch up to 10 params?

The issue being that not all events have 2 params...some could have 1 or some could have 6. Thanks again.


sduff_splunk
Splunk Employee

If you don't know how many parameters you are going to have, you can have all the params extracted into a multi-value field called 'oneparam', and then use mvjoin to put them into a single parameter (called params). Each field will be separated by a space.

| rex max_match=0 field=_raw "Param=\"(?<oneparam>[^\"]*)\"" | eval params=mvjoin(oneparam, " ")
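As an added illustration, not code from the thread or from Splunk, here is a Python model of what the two answers above do: the fixed two-Param rex joined with `p1.p2`, and the `max_match=0` extraction collapsed with `mvjoin`. It also shows the automatic key="value" extraction that yields a multivalue Param field. The sample events are constructed in the same layout as the one in the question (the second has one Param, the third has three) so the variable-count case the asker raised is covered; the function names are my own.

```python
import re

# Constructed sample events in the same key="value" layout as the question
# (not real log lines). Event 0 has two Params, event 1 has one, event 2 has three.
EVENTS = [
    '12/08/2015 1:03:03 PM Server="exchange" User="admin@domain.com" Identity="bigstring=" '
    'Cmdlet="Set-DistributionGroup" Param="-IgnoreNamingPolicy \'True\'" '
    'Param="-Identity \'Distro Group\'" Success="True" Error=""',
    '12/08/2015 1:04:10 PM Server="exchange" User="admin@domain.com" Identity="" '
    'Cmdlet="Get-Mailbox" Param="-Identity \'someone\'" Success="True" Error=""',
    '12/08/2015 1:05:42 PM Server="exchange" User="admin@domain.com" Identity="" '
    'Cmdlet="New-Mailbox" Param="-Name \'svc\'" Param="-Alias \'svc\'" '
    'Param="-Database \'DB01\'" Success="False" Error="denied"',
]

# Generic key="value" pairs, the shape Splunk's automatic extraction relies on.
KV_RE = re.compile(r'(\w+)="([^"]*)"')
# Same pattern as the rex in the answer; re.findall behaves like max_match=0.
PARAM_RE = re.compile(r'Param="([^"]*)"')
# The fixed-arity pattern from the earlier answer: exactly two adjacent Params.
TWO_PARAM_RE = re.compile(r'Param="([^"]*)" Param="([^"]*)"')


def parse_event(event):
    """Key/value extraction. Repeated keys (Param) become a list, which is how
    a multivalue field shows up after automatic extraction."""
    fields = {}
    for key, value in KV_RE.findall(event):
        fields.setdefault(key, []).append(value)
    return fields


def extract_params(event):
    """Equivalent of rex max_match=0: every Param value, in order ('oneparam')."""
    return PARAM_RE.findall(event)


def join_params(event, sep=" "):
    """Equivalent of eval params=mvjoin(oneparam, " "): one string per event,
    whatever the number of Params (0, 1, 6, ...)."""
    return sep.join(extract_params(event))


def two_param_join(event):
    """The p1.p2 approach: works only when exactly two adjacent Params exist.
    Returns None for one Param and silently drops anything past the second."""
    m = TWO_PARAM_RE.search(event)
    return m.group(1) + m.group(2) if m else None


if __name__ == "__main__":
    for ev in EVENTS:
        fields = parse_event(ev)
        print(fields["Cmdlet"][0], "->", repr(join_params(ev)),
              "| fixed two-param:", repr(two_param_join(ev)))
```

Running it shows why the `max_match=0` + `mvjoin` form is the one to keep for audit data like this: the fixed `p1.p2` version returns nothing for the single-Param event and loses the third Param of the `New-Mailbox` event, so a search over the joined value would miss part of what the admin actually ran.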

weznagwama
New Member

Thanks for the reply. I've unfortunately gotten stuck on attempting to get a PowerShell script working (turns out it's quite difficult). Will post back once I get that going. Cheers.
